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Introduction 


The Information Commissioner’s Audit Committee (the Committee) 
provides scrutiny, oversight and assurance of risk control and governance 
procedures. Minutes of its meetings are available on the ICO’s website at 


www.ico.org.uk. 
Membership and attendance 


The Committee’s chair is Ailsa Beaton who is a non-executive director and 
member of the Management Board. There are two other members of the 
Audit Committee; Jane McCall who is a non-executive director and 
member of the Management Board, and Roger Barlow who is an 
independent member. 


The Committee met on 12 June 2017, 18 September 2017, 01 February 
2018, 27 April 2018 and 15 June 2018. This report was agreed at its 
meeting of 15 June 2018. 


Members’ attendance at Committee meetings is detailed in the ICO’s 
Annual Report and Accounts 2017-2018. The Information Commissioner, 
Elizabeth Denham, attended the September 2017, February 2018, April 
2018 and June 2018 meetings of the Committee. 


Representatives of the National Audit Office (NAO), the ICO’s external 
auditors, attended all of the meetings either in person or by telephone. 
Grant Thornton, who provided the ICO’s internal audit function during 
2017/18, attended all of the meetings except the June 2018 meeting; the 
internal audit opinion for 2017-18 had been provided at the April meeting 
in draft form and had been confirmed immediately afterwards. A copy was 
provided to Committee members at the June 2018 meeting. 


The new providers of the internal audit function from April 2018, Mazars, 
attended both the April and June 2018 meetings. 


Secretariat was provided by the Corporate Governance Team. 


Meetings during 2017-18 


The Committee has, as standing items at all of its meetings; 

e an update on current issues from the Information Commissioner or 
her deputies; 
a review of the risk register; 
the most recent monthly finance report; 
progress reports from the internal and external auditors; 
discussion of audit reports and performance in clearing outstanding 
internal and external audit recommendations; and 
e areview of reported fraud, whistleblowing and security incidents. 


In addition during the year the Committee considered: 
e the Annual Report & Accounts for 2016-17 and for 2017-18; 
information and cyber security at the ICO; 
ISO 270001 accreditation; 
internal audit pre-procurement; and 
the ICO’s approach to the recovery of civil monetary penalties. 


Audit 


During the year the Committee reviewed the audit plan and performance 

against it on a continual basis, and considered internal audit reviews of: 
e Investigations; 

IT procurement; 

IT supplier contract management; 

Corporate Governance; 

Expenses; 

Data Protection Law Reform follow up; and 

Follow up to audit recommendations. 


Grant Thornton made nine recommendations during the year; of which at 
the time of writing, four have been actioned and none of the outstanding 
actions were over-due. 


The Committee was pleased to note the good progress in clearing audit 
recommendations. In a few cases deadlines had slipped and the 
Committee encouraged management to discuss recommendations and 
deadlines with the auditors prior to agreeing the recommendations if at all 
unsure. 


Grant Thornton’s Annual Internal Audit Report 2017-18 concluded that, in 
the areas examined, the activities of risk management, corporate 
governance and internal controls were appropriately designed to achieve 
the objectives required, and activities and controls examined were 
operating with sufficient effectiveness to provide reasonable, but not 


absolute, assurance that the related objectives were achieved during the 
period under review. 


The NAO Audit Completion Report 2017-18 concluded that the 
Comptroller and Auditor General anticipate certifying the 2017-18 
financial statement with an unqualified audit opinion, without 
modification. 


Audit Committee Opinion 


Given the opinion of both the internal auditors and external auditors as 
expressed in their annual reports, and the other information available to it 
from its work during the year, the Audit Committee therefore provides the 
Commissioner, as Accounting Officer, with reasonable assurance that the 
ICO’s control mechanisms are working satisfactorily. 


The Committee is satisfied with the quality of internal and external audit 
and believes that by virtue of this work it is able to take a measured and 
diligent view of the quality of financial and other systems of reporting and 
control within the ICO. It is satisfied that the ICO has appropriate systems 
of internal control that work well. 


In respect of its own performance the Committee considers that it has 
directed the internal audit function towards areas relevant to the risks 
facing the ICO. It has constructively challenged both management and 
internal audit function and received a high level of cooperation and 
support from all concerned. Responses to audit recommendations are 
generally positive and the Committee is satisfied that management within 
ICO is committed to maintaining an appropriate level of internal control 
and prudent use of resources. 


This opinion feeds into the Commissioner's drafting of the Governance 


Statement for 2017-18 which was considered by the Audit Committee at 
its April 2018 and June 2018 meetings. 
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